On Tue, Nov 14, 2006 at 03:01:24PM -0500, Gregory Maxwell wrote:
> On 11/14/06, Timwi timwi@gmx.net wrote:
> > That's the wrong question. A better set of questions would be:
> > - Does every project have at least one sysop/bureaucrat who can spot
> > "evil" Java resources?
> > - Does every sysop/bureaucrat who does not have this skill acknowledge
> > that they don't and consequently leave the approval queue alone? (From your message, it appears that you do, so you're fine.)
> It's not a question of skill: no matter how skilled, no human can tell a malicious Java app in binary form from a good Java app.
> Only through a careful audit of the source code could we expect to have any confidence... and that's a question of both time and skill...
... and at that point, you're back to wondering if the sysops/bureaucrats who don't have the skill will leave the approval queue alone. Since this is a preventative measure, and not an active measure, it introduces problems later down the road, because the real question isn't "Does every sysop/bureaucrat who does not have the skill acknowledge that they don't and consequently leave the approval queue alone?" Instead, the question is:
"Will every sysop/bureaucrat forevermore who does not have the skill be reasonably expected to acknowledge that they don't have the skill and consequently leave the approval queue alone, or do we think there's a nontrivial likelihood that new sysops/bureaucrats will potentially become a problem in this regard in the future?"
Unfortunately, if you want something approaching complete safety in this regard, I don't think you're going to get it. I guess it all depends on how much you're willing to risk it.